October 26, 2013

When you see “https” instead of “http” in your address bar, you can typically rest assured that your connection with the web site you’re visiting is encrypted. This is done through TLS/SSL, an encryption layer that works with a number of transfer protocols (HTTP, the Hypertext Transfer Protocol, is one example). In most cases the encryption is paired with a public key certificate, a digital document that binds a public key (used to set up the encrypted connection) to a specific organization or server name. The certificate is what lets you know who you’re actually dealing with. Modern web browsers warn you if there is a mismatch between the name the certificate was issued for and the name of the server actually presenting it. For instance, you might get a message telling you that a server is identifying itself as abc.def.com, but that the key it’s using belongs to abd.def.com.

Occasionally this is because of a genuine attempt to scam you: someone is presenting a certificate that isn’t theirs and posing as, say, your bank, when in fact they are trying to steal your login information so they can gain access to your bank account. Fortunately, far more often it’s because a large organization hasn’t obtained a separate certificate for each of its many servers. Because those servers have different (but usually very similar) names, the browser concludes that someone is trying to present themselves as someone they’re not. Unfortunately, because this can sometimes be a real attempt to steal your personal information, you should always be very cautious about accepting these mismatched certificates. I always recommend checking with your IT administrator before going forward. This usually means extra time for you and for them (writing and waiting for responses to emails), but it’s better than falling victim to a man-in-the-middle attack, where someone intercepts your information in transit and neither you nor the web site is any the wiser.
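To make the browser’s name check concrete, here is an added example (not code from the original post) that implements a simplified version of the hostname matching browsers perform (exact match plus a single leftmost-label wildcard, in the spirit of RFC 6125) against certificate data shaped like the dictionary Python’s `ssl` module returns from `getpeercert()`. The two certificates are constructed for illustration: one issued only for abd.def.com, which reproduces the mismatch warning described above when abc.def.com presents it, and one with a subjectAltName list covering the organization’s other servers, which is the fix an administrator would deploy instead of asking users to click through the warning.

```python
from typing import Dict, List, Tuple

# Constructed sample certificates, shaped like ssl.SSLSocket.getpeercert() output.
# Legacy certificate: no subjectAltName, only a Common Name for one server.
SINGLE_HOST_CERT: Dict = {
    "subject": ((("commonName", "abd.def.com"),),),
}

# Certificate that lists every name the organization's servers use.
MULTI_HOST_CERT: Dict = {
    "subject": ((("commonName", "abd.def.com"),),),
    "subjectAltName": (("DNS", "abd.def.com"), ("DNS", "*.def.com")),
}


def _dns_names(cert: Dict) -> List[str]:
    """Names the certificate is valid for: SAN DNS entries, else the subject CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    # Fallback for certificates without a SAN extension: use the Common Name.
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def _name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive match; a wildcard is allowed only as the entire leftmost label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" in hostname or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard covers exactly one label, and the pattern must have at least
    # two fixed labels after it (so a pattern like "*.com" is rejected).
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def check_hostname(cert: Dict, hostname: str) -> Tuple[bool, str]:
    """Return (matched, explanation), mirroring the message a browser shows."""
    names = _dns_names(cert)
    for name in names:
        if _name_matches(name, hostname):
            return True, f"{hostname} matches certificate name {name}"
    return False, (
        f"server identifies itself as {hostname}, but the certificate "
        f"belongs to {', '.join(names)}"
    )


if __name__ == "__main__":
    for cert_label, cert in (("single-host", SINGLE_HOST_CERT), ("multi-host", MULTI_HOST_CERT)):
        for host in ("abd.def.com", "abc.def.com", "deep.abc.def.com"):
            ok, why = check_hostname(cert, host)
            print(f"[{cert_label}] {'OK  ' if ok else 'WARN'} {why}")
```

The wildcard is deliberately limited to one label: `*.def.com` covers abc.def.com but not deep.abc.def.com, which is why a second server tier often needs its own SAN entry rather than a click-through from every user.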